What is Mobile Lock?
Mobile Lock is an RSA product add-on designed to secure the authentication process within the RSA Authenticator app for iOS and Android.
How is Mobile Lock installed?
Mobile Lock is integrated within the RSA Authenticator app. Once the RSA Authenticator app is installed on a device, there is no separate installation, device configuration, or permission required.
How does Mobile Lock work?
Mobile Lock uses advanced machine learning-based behavior detection to identify threats from a configurable catalog. When a CRITICAL threat is detected, the authentication process is restricted until the threat is resolved. This restriction does not affect any other applications or features on the device.
I’ve heard about Zimperium. What is it?
RSA has developed Mobile Lock in partnership with Zimperium, a leader in Mobile Threat Detection (MTD). RSA is licensing certain Zimperium capabilities as part of Mobile Lock. As an RSA client for Mobile Lock, you don't need a separate agreement with Zimperium.
What do I need to use Mobile Lock?
- A commercial agreement with RSA: Mobile Lock is available either as part of, or as an add-on to, RSA ID Plus commercial packages.
- RSA Authenticator for iOS and Android: Mobile Lock has been supported since V4.1.5, but V4.3 is required to access the full functionality. The RSA Authenticator app for iOS and Android does not need any additional permissions when the Mobile Lock feature is enabled.
- Administrators can then enable Mobile Lock from the Cloud Authentication Service (CAS) Administration Console. See detailed information at Configure Company Information and Certificates. Mobile Lock is disabled by default.
Note: If an organization has multiple Cloud Authentication Service tenants, administrators will need to configure Mobile Lock for each tenant. The organization will then have access to a Mobile Lock Console account for each Cloud Authentication Service tenant for which Mobile Lock has been enabled.
Where is the RSA Mobile Lock documentation?
The general RSA Mobile Lock documentation is available from the RSA Community; search for Mobile Lock.
What is the RSA Mobile Lock Console?
This is the administration interface for Mobile Lock, distinct from the RSA Cloud Authentication Administration Console.
When a CAS administrator first enables Mobile Lock, that administrator also becomes the initial administrator of the Mobile Lock Console and receives an email with information on how to access it. The initial administrator can then add more users to the Mobile Lock Console.
Where is the RSA Mobile Lock Console hosted?
The RSA Mobile Lock console is only hosted in the USA.
What is the support model for RSA Mobile Lock?
The RSA Help Desk provides support for any issues or questions related to RSA Mobile Lock and its console. When raising an RSA Mobile Lock case, please include the name of the Mobile Lock account, which is visible on the top right side of the banner, by the gear icon. If required, the RSA Help Desk will then escalate the issue to RSA's partner, Zimperium.
What are the roles available in the Mobile Lock Console?
The initial Mobile Lock administrator will be given the ‘Client Admin’ role on Mobile Lock, with general access and configuration rights. Other users can be assigned the same role, or a ‘read only’ role. The ‘read only’ role is typically assigned to IT help desk users who need access to information about devices and detected threats in the Mobile Lock Console in order to help resolve those threats.
What should be configured first in Mobile Lock?
The most important configuration to review in Mobile Lock is the current threat list, which should be adjusted to your organization’s needs.
Each threat may have one of three ‘behaviors’ in Mobile Lock:
- Disabled: the threat is neither monitored nor impacting end users.
- Enabled, with Severity other than ‘Critical’: When detected, the threat will be reported in the Mobile Lock Console, but will not impact the user of the RSA Authenticator application in any way.
- Enabled, with Severity set to ‘Critical’: When detected, the threat will be reported in the Mobile Lock Console and will block the authentication process in the RSA Authenticator application on the impacted device.
How can I configure the Threat policy?
As a user with the 'Client Admin' role, you can either modify the settings in the currently applied threat policy, or create a new threat policy and use it as part of the overall configuration. We recommend creating a new threat policy to keep the default RSA one as a baseline. To create a new threat policy, do the following:
- Log into the Mobile Lock Console.
- Navigate to Policy/Threat.
- Clone an existing policy.
- Modify the cloned policy according to your needs and save it with your name.
- Navigate to Policy/Groups.
- Edit the 'Default' group setting to use the newly created policy as its threat policy.
You can define a 'monitoring' only policy, in which no enabled threats are marked as 'Critical', to evaluate occurrences of these threats without impacting end users. Then, depending on the results of this 'monitoring' policy, you can decide which threats should be enabled as 'Critical' and block authentication.
Note that, for any Mobile Lock account enabled for the first time after the CAS June 2024 release, the default policy will be 'monitoring' only, allowing organizations to switch on and test Mobile Lock easily without impacting end users.
What are the settings which should not be modified in the Mobile Lock Console?
Client Administrators should not modify the settings related to Privacy. RSA has set the privacy policy to store no Personally Identifiable Information (PII) or Personal Data (PD) in the Mobile Lock Console, maintaining compliance with data privacy laws such as General Data Protection Regulation (GDPR).
What threats can Mobile Lock protect against?
Mobile Lock can detect and protect against various threats, including abnormal process activity, compromised devices, and unsecured network connections. Below is the list of threats that Mobile Lock can detect and protect against as of April 2024. This list will continue to evolve with the addition of new threats and the removal of legacy or deprecated ones.
| Category | Specific Threats |
|---|---|
| Device Integrity & Compliance | Device Failed Basic Integrity Check |
| | Device Failed Integrity Check |
| | Device Failed Strong Integrity Check |
| Operating System | OS Not Compliant - Android |
| | OS Not Compliant - iOS |
| | OS Not Compliant and Not Upgradable - Android |
| | OS Not Compliant and Not Upgradable - iOS |
| | Actively Exploited Android Version |
| | Actively Exploited iOS Version |
| | OS Upgrade Available - iOS |
| | OS Upgrade Available - Android |
| Applications | Sideloaded App(s) |
| | Sideloaded App from High-Risk App Store |
| | App Tampering |
| | App Running on Emulator |
| Network Security | Unsecured WiFi Network |
| | Rogue Access Point |
| | MITM (Man-In-The-Middle) Attacks (ARP, Fake SSL, ICMP) |
| Device Configuration | Developer Options |
| | USB Debugging Mode |
| | Unknown Sources Enabled |
| | Device Encryption |
| | Malicious iOS Shortcut Found |
| | Risky iOS Shortcut Found |
| | Compromised by Spyware |
| | Cellular Interception |
| Debugging and Tampering | Android Debug Bridge (ADB) Apps Not Verified |
| | Android Debug Bridge (ADB) Wi-Fi Enabled |
| | Device Jailbroken/Rooted |
| | System Tampering |
| Accessibility and Privacy | Accessibility Active |
| | Screen Sharing Active |
| | Screen Sharing Suspected |
| Software Updates and Protections | iOS Rapid Security Response Available |
| | Google Play Protect Disabled |
| | Over-The-Air (OTA) Updates Disabled |
Where can I find more detailed information about the Mobile Lock Console?
In the Mobile Lock Console, at the bottom of the left menu bar, there is a Docs link to the full online documentation from RSA partner, Zimperium.
Search for the zDefend user guide. zDefend is the Zimperium product used to deliver RSA Mobile Lock.
Why does the Zimperium documentation include certain features that are not available in the Mobile Lock Console?
Zimperium has its own Mobile Threat Detection (MTD) product offering using a dedicated mobile application, which includes features not part of the Mobile Lock use case.
As an example, the Zimperium Mobile Application, in conjunction with an installed MDM, can be configured to detect phishing attacks. Phishing detection is not part of the Mobile Lock use case, and therefore the phishing feature, while mentioned in Zimperium documentation, is not visible/accessible from the Mobile Lock Console.
Why does the Zimperium documentation list more threats than what is available in the Mobile Lock Console?
Zimperium has its own Mobile Threat Detection (MTD) solution, based on its own Mobile application, which is always on, always active, and can interact tightly with installed MDM. As such, it can detect certain threats that are not part of the RSA Mobile Lock use case. Not all the threats documented in the Zimperium documentation are therefore visible from the Mobile Lock Console.
How can I use the SSO feature in Mobile Lock Console?
This requires specific enablement by RSA. Please refer to the following article for detailed steps to enable this feature.
Can a threat be resolved from the Mobile Lock Console?
A threat detected on a mobile device can only be resolved by action on the device. However, it is possible to change the configuration to prevent a given threat from blocking the authentication process on all mobile devices:
- Adjusting Severity level: Once the Severity level of an enabled threat is changed from ‘Critical’ to another level, detection of this threat no longer blocks the authentication process, but the threat is still reported in the Console. Once applied, this setting could take a few seconds to propagate to all devices, or the user must refresh their screen for the authentication process to be unblocked.
- Disabling Mobile Lock: Using the Cloud Authentication Service Administration Console to disable Mobile Lock will stop all threat detections on all mobile devices.
Can a Mobile Lock 'Authentication Restricted' event be overridden?
This will require RSA Authenticator for iOS and Android V4.4 or higher. A Client Administrator will then be able to override Mobile Lock for a given user for a specific amount of time.
For example, if the user needs to authenticate within a limited timeframe, and the detected threat is deemed less critical than the necessity for authentication, administrators will be able to do this from the user's profile view in the RSA Cloud Authentication Service.
Can I identify the user impacted by a given detected threat on the Mobile Lock Console?
Due to data privacy considerations, RSA does not store users’ Personally Identifiable Information (PII) or Personal Data (PD) in the Mobile Lock Console, so identifying a named user from the Mobile Lock Console is not possible.
However, from RSA Authenticator app for iOS and Android V4.4, RSA includes the Mobile Lock Device ID in the ‘All users’ report available from the Cloud Authentication Service Administration Console. This will then allow:
- Administrators to link RSA users with specific devices or threats reported in the Mobile Lock Console.
- Information Systems aggregating data from both the Cloud Authentication Service and the RSA Mobile Lock to correlate RSA users with Mobile Lock reported threats.
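One way to perform this correlation, as an added example that is not RSA's or Zimperium's code. The column names (user_id, mobile_lock_device_id, device_id, threat, severity), the sample rows and the non-Critical severity label are constructed assumptions, not the actual report or export schemas.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the CAS 'All users' report (assumed column names).
# carol has no Mobile Lock Device ID, e.g. an app version below V4.4.
ALL_USERS_CSV = """user_id,mobile_lock_device_id
alice@example.com,dev-0001
bob@example.com,dev-0002
carol@example.com,
"""

# Constructed sample of threat events exported from the Mobile Lock Console
# (assumed column names; "Low" is a placeholder for any non-Critical severity).
THREATS_CSV = """device_id,threat,severity
dev-0001,Device Jailbroken/Rooted,Critical
dev-0001,USB Debugging Mode,Low
dev-0002,Unsecured WiFi Network,Low
dev-0999,App Tampering,Critical
"""


def correlate(users_csv, threats_csv):
    """Join threat events to users on the Mobile Lock Device ID.

    Returns (restricted, reported_only, unmatched_devices):
    restricted    - users with a 'Critical' threat (authentication blocked)
    reported_only - users with threats that are reported but do not block
    unmatched     - device IDs seen in the console with no user in the report
    """
    device_to_user = {
        row["mobile_lock_device_id"]: row["user_id"]
        for row in csv.DictReader(io.StringIO(users_csv))
        if row["mobile_lock_device_id"]  # skip users without a device ID
    }
    restricted, reported_only = defaultdict(list), defaultdict(list)
    unmatched = set()
    for event in csv.DictReader(io.StringIO(threats_csv)):
        user = device_to_user.get(event["device_id"])
        if user is None:
            unmatched.add(event["device_id"])
            continue
        bucket = restricted if event["severity"] == "Critical" else reported_only
        bucket[user].append(event["threat"])
    return dict(restricted), dict(reported_only), sorted(unmatched)
```

Unmatched device IDs are worth reviewing separately, since a Critical threat on such a device cannot be tied to a user from the report alone.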
Is there an audit log in the Mobile Lock Console?
Yes. Click the gear icon on the top right menu bar, and then select Audit Log. The content of this log can be exported.
What type of telemetry data is available from Mobile Lock?
From the Mobile Lock Console, it is possible to configure a ‘data export’ to get data into different formats or different systems, including various SIEMs.
Click the gear icon on the top right menu bar, and then select Data Export. Please check the Zimperium documentation for a full explanation of this feature.
Aligned with the release of RSA Authentication V4.4, telemetry about Mobile Lock events will also be added to the Cloud Authentication Service Log system.